Placing GRC and Supplier Governance in the Risk Management Jigsaw

Many organizations attempt to address two overlapping but separate aspects of their supply chain, risk management and supplier governance, with a single software solution. This approach has not proved successful, as no software on the market today does both well. What is needed is a combination of two applications to achieve these goals.

We commonly find that the risk management strategy for large organizations is built around Governance, Risk and Compliance (GRC) tools. These tools typically approach risk management in a top-down manner, focusing on reporting the key risks that could affect an organization's interests in its third party engagements. This involves generating a consolidated risk view through some form of risk register that reports against preset ratios and parameters, including financial stability, key staffing, business continuity and geographical risk, among others. Most of the source data required for this analysis comes from third party databases.

In our assessment, there are two overlapping but separate goals that companies need to accomplish while managing supplier relationships:

Risk management, typically handled through GRC tools

Full supplier governance, particularly for complex key or strategic services

Now there is nothing wrong with leveraging GRC tools for risk management; in fact, they need to be part of any sensible risk management strategy. However, it must be understood that this traditional approach is no longer adequate by itself and needs to be expanded and enhanced. For most large enterprises today, 80-90% of their third party spend is usually with 10-20% of their suppliers. These engagements are typically large in scale (multi-million dollar engagements) with terms ranging from 3 to 5 years. While regulatory, policy and compliance risk management is imperative, robust management of contractual, performance and governance risk becomes critical for effective risk management in these supplier arrangements.

As organizations try to manage contractual, performance and governance risk using GRC tools, they quickly discover that the data required to validate the underlying risk components is not readily available. GRC tools are good at reporting and analyzing risk, but they are not capable of generating or managing the underlying data needed to manage contractual and performance risks. Hence this data needs to be obtained from the source where it originates, i.e. the contract.

Many of the risk obligations are typically spelled out in detail in the services contracts in the form of one-time or repeatable obligations. It is not possible to manage such risk without obligation-level contract management capabilities. This becomes especially difficult as the contractual obligations keep evolving during the term of the engagement. In order to effectively govern such engagements, organizations need the ability to:

capture, maintain and track contracts at the obligation level throughout the term of the agreement

manage contract change and interpretations in a centralized and auditable manner

measure, track and report performance against service-level and non-service-level obligations, and tie the results back to the contracts

manage governance forum issues and actions, and analyze them for risk trends

evaluate the organization’s governance process health

track a supplier's compliance with policy and regulations

ensure supplier audits are carried out as contractually stipulated

The GRC tools market is mature, and it is generally quite straightforward for an organization to identify the solution that meets its requirements. For supplier governance, however, an organization needs to evaluate its options more carefully. Some organizations pick the manual option of staffing internal or external teams to govern such engagements. This involves extensive manual effort and may not perform favorably in terms of expense, efficiency and effectiveness. Similarly, generic procurement technologies such as P2P tools, ITSM tools and even traditional contract management tools were not designed for the governance of more complex services engagements and hence fall short.

There are a few specialized supplier governance tools, such as Sirion, purpose-built for contractual, performance and governance risk management in services engagements; they work by capturing and managing the data from the contract at a granular, obligation level. Such tools are able to capture and track risk obligations in the contract, e.g. insurance certification and regulatory compliance. Intelligent workflows and advanced reporting capabilities facilitate and validate the completion of individual risk obligations. Sophisticated analytics capabilities help analyze trends in obligation performance across suppliers and proactively identify and address governance issues before they turn into disputes.

I would like to conclude by reiterating that a healthy foundation of supplier governance ensures that the overall risk reporting is credible. Without it, risk assessments will always be suspect. My recommendation is for companies to deploy a combination of a solid supplier governance technology and a competent GRC tool to achieve credible risk management.